debops.sysctl default variables

General configuration

sysctl__enabled

Enable or disable management of the kernel configuration in the /proc/sys/ directory using Ansible.

sysctl__enabled: True
sysctl__writable

List of paths in the /proc/sys/ directory that are considered writable in the current namespace (host, VM, container). The path elements need to be separated by a dot (.) instead of a slash (/). See sysctl__writable for more details.

sysctl__writable: '{{ ansible_local.sysctl.writable
                      if (ansible_local|d() and ansible_local.sysctl|d() and
                          ansible_local.sysctl.writable|d())
                      else [] }}'
Hardening

sysctl__hardening_enabled

Should the hardening options be applied?

sysctl__hardening_enabled: True

sysctl__system_ip_forwarding_enabled

Should the system forward IP traffic for all interfaces? Refer to debops.ifupdown, which can selectively enable traffic forwarding.

sysctl__system_ip_forwarding_enabled: False

sysctl__hardening_ipv6_disabled

Whether IPv6 should be disabled.

sysctl__hardening_ipv6_disabled: False

sysctl__hardening_experimental_enabled

Should experimental settings in the hardening options be applied?

sysctl__hardening_experimental_enabled: False
Kernel parameters
These variables define the kernel parameters managed by the role. See sysctl__parameters for more details.
sysctl__default_parameters

The default kernel parameters defined by the role.

sysctl__default_parameters:

  - name: 'memory'
    weight: 10
    options:

      - name: 'kernel.shmmax'
        value: '{{ sysctl__shared_memory_shmmax }}'

      - name: 'kernel.shmall'
        value: '{{ sysctl__shared_memory_shmall }}'

      - name: 'vm.swappiness'
        comment: |
          How aggressively the kernel swaps out anonymous memory relative to
          pagecache and other caches. Increasing the value increases the amount
          of swapping. Can be set to values between 0 and 100 inclusive.
        value: 60

      - name: 'vm.vfs_cache_pressure'
        comment: |
          Tendency of the kernel to reclaim the memory which is used for caching of VFS
          caches, versus pagecache and swap. Increasing this value increases the rate
          at which VFS caches are reclaimed.
        value: 100

  - name: 'network'
    weight: 20
    options:

      - name: 'net.ipv4.ip_forward'
        value: '{{ sysctl__system_ip_forwarding_enabled|bool | ternary(1, 0) }}'
        comment: 'Enable or disable IPv4 traffic forwarding'
        state: 'present'

      - name: 'net.ipv6.conf.all.forwarding'
        value: '{{ sysctl__system_ip_forwarding_enabled|bool | ternary(1, 0) }}'
        comment: 'Enable or disable IPv6 traffic forwarding'
        state: 'present'

      - name: 'net.ipv6.conf.all.accept_ra'
        value: 0
        comment: 'Ignore IPv6 RAs.'
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv6.conf.default.accept_ra'
        value: 0
        comment: 'Ignore IPv6 RAs.'
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.rp_filter'
        value: 1
        comment: 'Enable RFC-recommended source validation feature.'
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.default.rp_filter'
        value: 1
        comment: 'Enable RFC-recommended source validation feature.'
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_echo_ignore_broadcasts'
        value: 1
        comment: |
          Reduce the attack surface for SMURF attacks.
          Make sure to ignore ECHO broadcasts, which are only required in broad
          network analysis.
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ignore_bogus_error_responses'
        value: 1
        comment: |
          Do not log bogus ICMP error responses.
          Nobody would want to accept bogus error responses, so we can safely
          ignore them.
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ratelimit'
        value: 100
        comment: 'Limit the amount of traffic the system uses for ICMP.'
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.icmp_ratemask'
        value: 88089
        comment: |
          Adjust the ICMP ratelimit to include ping, dst unreachable,
          source quench, time exceeded, param problem, timestamp reply,
          information reply
        state: '{{ sysctl__hardening_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv6.conf.all.disable_ipv6'
        value: 1
        comment: 'Disable IPv6.'
        state: '{{ sysctl__hardening_ipv6_disabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.tcp_timestamps'
        value: 0
        comment: 'Protect against wrapping sequence numbers at gigabit speeds.'
        state: '{{ (sysctl__hardening_enabled|bool and
                    not (ansible_virtualization_role == "guest" and ansible_virtualization_type == "openvz"))
                   | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.arp_ignore'
        value: 1
        comment: |
          Define mode for sending replies in response to received ARP requests
          that resolve local target IP addresses
        state: '{{ sysctl__hardening_experimental_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.conf.all.arp_announce'
        value: 2
        comment: 'Define restriction level for announcing the local source IP.'
        state: '{{ sysctl__hardening_experimental_enabled|bool | ternary("present", "absent") }}'

      - name: 'net.ipv4.tcp_rfc1337'
        value: 1
        comment: 'RFC 1337 fix F1.'
        state: '{{ (sysctl__hardening_enabled|bool and
                    not (ansible_virtualization_role == "guest" and
                         ansible_virtualization_type == "openvz"))
                   | ternary("present", "absent") }}'

  # The '/proc/sys/fs/' namespace is usually read-only in unprivileged LXC
  # containers. The default 'protect-links.conf' file that comes with the
  # 'procps' APT package has the 'fs.*' parameters uncommented, which breaks
  # the 'sysctl' configuration via the role. Therefore, let's divert the
  # original file and regenerate it; the read-only parameters will be
  # automatically commented out in unprivileged LXC containers.
  - name: 'protect-links'
    filename: 'protect-links.conf'
    divert: True
    comment: |
      Protected links
      Protects against creating or following links under certain conditions
      Debian kernels have both set to 1 (restricted)
      See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
    options:

      - name: 'fs.protected_hardlinks'
        value: 1

      - name: 'fs.protected_symlinks'
        value: 1
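As an added illustration (not the role's own template), the following Python shows how an entry in the format above can be rendered into a sysctl.d(5) file while honouring the two behaviours described on this page: options with state 'absent' are dropped, and parameters not covered by sysctl__writable (for example the read-only fs.* tree in an unprivileged LXC container) are emitted commented out, with their dotted name mapped back to a /proc/sys/ path. The file-name scheme, the prefix semantics of the writable list and the sample entries are assumptions made for this example.

```python
from typing import Dict, List, Tuple

# Constructed sample of 'sysctl__writable' for an unprivileged LXC container where
# '/proc/sys/fs/' is read-only; entries are assumed (for this example) to be exact
# parameter names or subtree prefixes in the role's dotted notation.
WRITABLE_IN_CONTAINER = ["net", "vm.swappiness"]

# Constructed entries in the shape used by sysctl__default_parameters above.
PROTECT_LINKS = {
    "name": "protect-links", "filename": "protect-links.conf", "divert": True,
    "comment": "Protected links\nDebian kernels have both set to 1 (restricted)",
    "options": [{"name": "fs.protected_hardlinks", "value": 1},
                {"name": "fs.protected_symlinks", "value": 1}],
}
NETWORK = {
    "name": "network", "weight": 20,
    "options": [
        {"name": "net.ipv4.ip_forward", "value": 0, "state": "present"},
        {"name": "net.ipv4.tcp_timestamps", "value": 0, "state": "absent"},
    ],
}


def sysctl_path(name: str) -> str:
    """Map the dotted name used in sysctl__writable to its /proc/sys/ path."""
    return "/proc/sys/" + name.replace(".", "/")


def is_writable(name: str, writable: List[str]) -> bool:
    """True if the parameter or one of its parent subtrees is listed as writable."""
    return any(name == w or name.startswith(w + ".") for w in writable)


def render_file(entry: Dict, writable: List[str]) -> Tuple[str, str]:
    """Return (file name, file text) for one parameter entry: options whose state
    is 'absent' are dropped, read-only parameters are written commented out."""
    # Assumed naming: an explicit 'filename' wins, otherwise '<weight>-<name>.conf'.
    fname = entry.get("filename") or f"{entry.get('weight', 50)}-{entry['name']}.conf"
    lines = [f"# {l}" for l in entry.get("comment", "").splitlines()]
    for opt in entry["options"]:
        if opt.get("state", "present") != "present":
            continue
        lines += [f"# {l}" for l in str(opt.get("comment", "")).splitlines()]
        setting = f"{opt['name']} = {opt['value']}"
        if not is_writable(opt["name"], writable):
            setting = f"#{setting}  # read-only: {sysctl_path(opt['name'])}"
        lines.append(setting)
    return fname, "\n".join(lines) + "\n"
```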
sysctl__parameters

This variable is intended to be used in Ansible's global inventory.

sysctl__parameters: []
sysctl__group_parameters

This variable is intended to be used in a host inventory group of Ansible (only one host group is supported).

sysctl__group_parameters: []
sysctl__host_parameters

This variable is intended to be used in the inventory of hosts.

sysctl__host_parameters: []
sysctl__dependent_parameters

Kernel parameters defined by other Ansible roles via role default variables. These parameters are not tracked by the role; it's best to create configuration files with a "weight" number > 50 to ensure that the desired parameters are correctly overridden by the sysctl command.

sysctl__dependent_parameters: []
sysctl__combined_parameters

Combined list of all kernel parameters, merged from the variables above, which will be configured by debops.sysctl.

sysctl__combined_parameters: '{{ sysctl__default_parameters
                                 + lookup("flattened", sysctl__dependent_parameters, wantlist=True)
                                 + sysctl__parameters
                                 + sysctl__group_parameters
                                 + sysctl__host_parameters }}'